
PHP login with session variables

I have a login script that uses session variables across the site to make sure a user is logged in on every page; the script works perfectly in Firefox, but I run into problems in IE - it's as if IE doesn't store my session variables at all.

I think I've traced the issue to a security setting in IE (I can force IE to store session variables, and then it will work) but I don't want my users to have to change a setting in IE security in order to login.

Does anybody have a solution or a workaround for this? Is there a better way to have a 'members' section than with session variables?

This is very strange ... I often use sessions in login scripts and never had such a problem. Could you post some of your code? Probably some simplified version which works for you in FF, but not in IE?

If cookies or specifically session cookies were disabled in your IE settings, it is likely the result of something you changed in your settings at some point in the past and would not be the case for the majority of the visitors to your site. Someone that is using FF or any other browser could have just as easily changed their cookie settings so that sessions would not work when they visit your site.

If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.


I can't imagine why IE would have them off as default, especially with how useful they are. I've had the problem on several different machines; I think IE may turn them off automatically at a certain security-level. Regardless, I'm able to use those machines on other sites that seem to also use session variables or some other sort of cookie.

I think CFMaBiSmAd is right ... If a browser for some reason does not support session cookies and session trans-sid feature is off (which is considered not safe and in all recent PHP releases is off by default), it would be that the browser with session cookies turned off would not work with sessions. Just in case: using cookies only for a session or enabling trans-sid (transferring session ID via URL which is considered not safe) is controlled by the following options in php.ini:
session.use_trans_sid
session.use_cookies
session.use_only_cookies

I do not go into detail why turning session trans-sid feature on is considered not safe here ... Probably it would be slightly off-topic. Still I would provide the explanation if you asked me of course ... I would be glad to answer any of your questions about sessions I could ...

In your case I would give the following notes which I think could be tried by you ...

1. You are using

PHP Code:

header('Location: ./index.php');

for redirects. Please notice that while relative URLs have been considered fine in HTTP 1.0, HTTP 1.1 requires the use of absolute URLs in redirects as far as I know. I would advise using absolute, not relative, URLs in your Location headers.

2. Please use the function session_write_close() right before sending your location header. Without it session data is sometimes lost on redirect.

3. This would not affect the functionality greatly, still I would recommend to exit the script after the redirect. Headers like Location are generally a recommendation for the browser to redirect. If you do not exit your script, the page content is normally sent to the web-client (in our case browser) anyway. Generally the user does not see this, but in some particular cases it could be abused by a hacker ...

... This is slightly off-topic, but still: I do not see in your script if you redirect after successful login anywhere ... Still after successful login (after you have finished script debugging) I would generally recommend to use session_regenerate_id() as protection against Session Fixation attacks. Please ask more questions if you consider this particular comment unclear - I do not go into detail here now since particularly session_regenerate_id() would not affect the situation with IE - this is only a general security note.

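The three notes and the session_regenerate_id() recommendation from the post above, combined in one login handler. This is an added example, not the original poster's script; BASE_URL, check_credentials(), the page paths and the sample user are assumptions made for illustration.

```php
<?php
// Added example. BASE_URL, check_credentials() and the sample user are hypothetical.

// Keep the session ID in a cookie only; never accept or emit it in URLs.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

const BASE_URL = 'https://www.example.com'; // assumption: the site's absolute base URL

// Constructed sample user store: username => password_hash() output.
function sample_users(): array
{
    return ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
}

function check_credentials(string $user, string $pass): bool
{
    $users = sample_users();
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Flush session data to storage, send an absolute Location header, then stop.
function redirect(string $path): void
{
    session_write_close();                           // note 2: write before redirecting
    header('Location: ' . BASE_URL . $path, true, 303); // note 1: absolute URL
    exit;                                            // note 3: send no page body after it
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string)($_POST['username'] ?? '');
    $pass = (string)($_POST['password'] ?? '');

    if (check_credentials($user, $pass)) {
        // Issue a new session ID and delete the old one: a pre-login ID
        // planted by someone else (session fixation) stops being valid.
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
        redirect('/index.php');
    }
    redirect('/login.php?error=1');
}
```

Protected pages would call session_start() and check $_SESSION['user'] before rendering, using the same redirect() helper when it is missing.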

I had a similar problem where I'd switched to a new computer and suddenly the session variables were all being lost. Then I read CFMaBiSmAd's post and realised I hadn't bothered looking in the Apache error log.

Lo and behold, it told me the path for storing the session cookies in did not exist. What I'd done was create the folder relative to my website (htdocs) instead of at the root of the drive.